What’s happening is that some criminal gang out there is installing a hacked version of the Google Toolbar via stealth on a relatively small number of systems. Ostensibly, this is to give them the aura of legitimacy for their own nefarious means (for example, getting people to think they’re using Google, when in fact, they’re using something else).

The important question is: Why is this different from stealth installs by adware companies?

Why is this an important question? Because adware/spyware companies will inevitably point to this install as being something that makes them innocent of stealth installs that occur from their own affiliates and distributors (“you see, it’s even happened to Google, we’re all the victims of rogue distributors”, etc.). In fact, we’ve already had one adware company approach us on this issue.

There are vast differences between this single unauthorized install of the Google Toolbar and the massive number of illegal force-installs (to say nothing of the continuing installs with sub-standard, inadequate notice and disclosure) that have been going on for years by some adware/spyware companies.

For example:

1. This Google Toolbar install is completely unauthorized

The bad guys installing Google Toolbar are doing it without any participation or knowledge on Google’s part whatsoever. The toolbar itself is not even being pulled from Google’s servers. It’s a hacked version being installed from the bad guys’ own servers. That’s quite a bit different from non-consensual adware installs, which sees the bad guys operating within adware companies’ own affiliate distribution channels and using adware companies’ own installers and servers to install software.

2. Google is the innocent victim here

At the heart of this rogue install is a HOSTS file hijack that directs network requests for Google to the bad guys’ own servers. Thus, these installs are being used to spoof Google and hijack traffic away from Google’s sites and services. Google derives no benefit whatsoever from these hijacks, even unintentionally or unwittingly. Rather, it suffers as a result of these hijacks, which exploit Google’s good name even as traffic is driven away from their sites and services. Again, this is quite in contrast to non-consensual adware installs, where adware most certainly does derive economic benefit from force-installs, which expand an adware company’s advertising base and drive traffic to its sites and services.
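The HOSTS-file hijack described above is easy to check for from the defender's side: any entry that maps a well-known domain to an address other than a loopback or unspecified (sinkhole) address is worth a look. The following script is an added example written for this post, not code from Sunbelt or Google; the sample HOSTS contents are constructed to model the hijack described here, and the list of watched domains is an assumption you would maintain yourself.

```python
"""Flag HOSTS-file entries that redirect well-known domains to a remote address."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample HOSTS contents (not taken from a real infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# hijack entries: Google hostnames pointed at an attacker-controlled server
203.0.113.45    www.google.com google.com
203.0.113.45    toolbar.google.com
# benign ad-blocking style sinkhole entry
0.0.0.0         ads.example.net
"""

# Domains a normal workstation's HOSTS file should never override.
# Assumption: this list is maintained by you for your own environment.
WATCHED_DOMAINS = ("google.com", "googleapis.com")


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per (address, hostname) pair, ignoring comments."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter tool might flag this too
        for host in fields[1:]:
            records.append({"line": lineno, "address": addr, "hostname": host.lower()})
    return records


def in_domain(hostname: str, domain: str) -> bool:
    """Label-aware suffix match: google.com matches www.google.com,
    but not google.com.evil.example or notgoogle.com."""
    return hostname == domain or hostname.endswith("." + domain)


def is_sinkhole(addr) -> bool:
    """Loopback/unspecified targets block a name rather than redirect it."""
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text: str, watched: Iterable[str] = WATCHED_DOMAINS) -> List[Dict]:
    """Return entries that point a watched domain at a real (non-sinkhole) address."""
    hits = []
    for rec in parse_hosts(text):
        if is_sinkhole(rec["address"]):
            continue
        if any(in_domain(rec["hostname"], d) for d in watched):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['hostname']} -> {hit['address']}")
```

On a real Windows machine you would read `%SystemRoot%\System32\drivers\etc\hosts` instead of the embedded sample. Sinkhole entries (127.0.0.1 or 0.0.0.0) are deliberately skipped because ad-blocking HOSTS lists use them legitimately; the distinguishing feature of the hijack is a watched name pointing at a routable address.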

3. Google did nothing to incentivize these hijacks

Google is not paying for these installs, and the motive behind them is not to get paid by Google, quite unlike non-consensual adware installs, which occur precisely because adware companies provide the economic incentive to perform stealth installs of adware software (best example: installs of adware/spyware through botnets).

Google’s hands are clean; the hands of a number of adware companies are most certainly not. We predict that no one in the security community will be wringing their hands over whether to target the Google Toolbar for detection and removal, because this install (including all the accompanying malware files) is easily distinguished from legitimate Google Toolbar installs.

Alex Eckelberry (Thanks to Eric Howes for his extensive contribution to this post).